I realize I have to trust LastPass company to some degree, especially from the time I enter the “master password” to the time Lastpass enters another website’s password for me. But I have a few questions:

1.) Is there ‘testing’ I can do to look and see if any of the passwords are stored locally on my machine ?

2.) Does LastPass store any passwords (in encrypted form, of course) – locally on my machine ? Do other apps enable storing locally encrypted passwords, for example, as an alternative to the LastPass approach ?

3.) Is there a tool to let me watch what data LastPass sends over the network wire to ensure I don’t see any unencrypted passwords being sent out ? Especially something that lets me view the wire data in a human-readable format that would allow me to search a file for the unencrypted password, and hopefully, not find it in the outgoing network stream from the app ?

4.) How does LastPass protect from ‘keyloggers’ – or does it assume my antivirus software has covered this vulnerability (if so – what’s a recommended program or safety practice to avoid being hacked by keylogger software ?)

5.) Is it worth paying the yearly subscription rate for LastPass, or is the free version adequate (if you know how to get the most out of it)?

David

July 22, 2013 at 8:16 am

Intuitive Password is a nice password manager, looks like a new service with all security features developed in mind. Check it out http://www.intuitivepassword.com

It's 4 months now that I've been using LastPass and I find it very useful, and I have paid for it. It's really worth it.

Oron Joffe

February 4, 2013 at 12:25 pm

LastPass is as trustworthy as any company. That of course is not a guarantee that it's good enough *for you*, but that's the way it is. The passwords are encrypted en route between your computer and the cloud (and they even support multifactor authentication for extra security), and the passwords are kept encrypted on their servers. Now, regarding your specific questions:

1.) Given that the passwords will be encrypted, I don't see what practical testing you could do to find out, but see next point.
2.) I don't think LastPass keeps a local copy (it kind of defeats the purpose!), but I'm not sure. Try contacting their tech support and get an answer from them! There are many other products (including of course the browsers, but also KeePass etc.) which keep a local encrypted database of the passwords. These are inherently less secure since the database can be stolen and the passwords cracked at the hacker's leisure (it used to be a big problem with IE).
3.) You could use a packet sniffer (there are plenty about, just google the term) to monitor the traffic between your PC and LastPass's address. I can't imagine this would happen though. LastPass exists on its reputation as a safe way to keep your passwords, and they say that they encrypt their transmissions; why would they transmit them in the clear?
4.) There are several ways in which lastpass protects from keyloggers, the most obvious being the "screen keyboard" (https://lastpass.com/features_free.php), but the real benefit of a system like that is that once lastpass memorises your passwords, you'll never need to type them again, so as long as your system was free of keyloggers to begin with, you are a lot safer than without it!
5.) Both are good for what they do, but how much the extra features are worth to you is something you'll have to consider yourself.
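One way to do the checks asked for in points 1 and 3 of the question (and to act on the packet-sniffer suggestion in this answer), as an added example that is not part of the original thread and not LastPass's own code: plant a throwaway "canary" password in the manager, then run this Python over the manager's profile directory, or over a raw dump of captured traffic exported from the sniffer, to look for the canary in the encodings a plaintext leak would most likely take. The canary value, the function names and the sample blob are all constructed for the example.

```python
# Self-audit for points 1 and 3: look for a planted canary password on disk or in a traffic dump.
import base64
import os
import urllib.parse

def base64_patterns(raw: bytes) -> list[bytes]:
    """Base64 substrings that match `raw` at any 3-byte alignment of a stream."""
    pats = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).rstrip(b"=")
        enc = enc[(0, 2, 3)[offset]:]        # drop chars tainted by the fake prefix
        if (offset + len(raw)) % 3:          # last char mixes in the next byte
            enc = enc[:-1]
        pats.append(enc)
    return pats

def leak_forms(secret: str) -> dict[str, list[bytes]]:
    """Byte patterns a plaintext copy of `secret` could take on disk or on the wire."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": [raw],
        "utf-16le": [secret.encode("utf-16-le")],   # common in Windows apps
        "base64": base64_patterns(raw),
        "url-encoded": [urllib.parse.quote(secret, safe="").encode("ascii")],
        "hex": [raw.hex().encode("ascii")],
    }

def find_plaintext(data: bytes, secret: str) -> list[str]:
    """Names of the encodings under which `secret` occurs in `data`."""
    return [n for n, pats in leak_forms(secret).items() if any(p in data for p in pats)]

def scan_tree(root: str, secret: str) -> dict[str, list[str]]:
    """Report every file under `root` containing the canary and how it was encoded."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = find_plaintext(fh.read(), secret)
            except OSError:
                continue                     # locked or unreadable file: skip it
            if found:
                hits[path] = found
    return hits

# Constructed sample (not real LastPass data): leaks the canary as misaligned base64 and as UTF-16.
CANARY = "Canary!Pa55#2013"
SAMPLE_LEAKY = b"hdr:" + base64.b64encode(b"X" + CANARY.encode()) + b"\n" + CANARY.encode("utf-16-le")
```

A hit in the profile folder or the capture means the plaintext was written somewhere; no hit is evidence, not proof, that only ciphertext was stored or sent, since an encoding this list does not cover would be missed.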

I personally use 1Password because it doesn't store your passwords in the cloud. I believe LastPass is very secure, but if their servers get hacked, billions of passwords can easily be stolen. 1Password stores the password file on your local HDD, so there is little to no risk of passwords being stolen. https://agilebits.com/onepassword
It has desktop and Android/iPhone versions.

Switchblade Rebirth

February 4, 2013 at 9:56 am

There have been rumors that LastPass was attacked, of sorts, but I'd still trust it nonetheless.

Rob Hindle

February 4, 2013 at 12:24 pm

Yes, "of sorts" is correct, and not just rumours: LastPass acknowledged that there had been some suspicious activity and advised, as a precautionary measure (and good practice anyway), that users with weak master passwords should change to stronger ones. What might have been stolen was heavily encrypted, but it underlines the risk of using a poor master password for your LastPass vault.
"Heavily encrypted" doesn't mean 100% secure, it means it takes an awful lot of processor power and time to decrypt - the longer and more complicated the password the longer it takes - maybe years even on the fastest computers we've got. If you heavily encrypt a widely used password like "letmein" there's barely a need to even bother trying to decrypt it, it's a rubbish password to start with.

Alan Wade

February 4, 2013 at 8:00 am

I have used LastPass for a long time now and trust them 100%. There are no passwords stored on your computer at all.

Tug Ricks

February 4, 2013 at 7:55 am

I'm a fan of LastPass, and love having access to it on my phone. That alone makes the $12 per year well worth it. (Mobile access is for the premium subscription only.) So do you plan on using it on a mobile device? If so, I'd go for the paid version. Oh, and it's available with MUO points in the rewards section!

Junil Maharjan

February 4, 2013 at 3:52 am

I have not used LastPass but have heard that it is pretty good. But the best way to secure your passwords is to make them hard to guess and crack by using letters, numbers and symbols in your password, and to use a made-up word, e.g. p@swd23#$%

Rob Hindle

February 4, 2013 at 12:09 pm

That's right, but it's not the problem LastPass is trying to address. LastPass is for storing those passwords securely, because you are advised NOT to use the same password on multiple web sites and many of us have dozens or even hundreds of passwords. They are a lot harder to remember if they are like your example, so LastPass provides an alternative to remembering them all.

Jose Paolo Gonzales Otico

February 4, 2013 at 1:42 am

I've been using it for roughly 6 months now, and I honestly recommend it. If you really don't trust the company then just use something like KeePass. This video essentially answers most of your questions: http://www.youtube.com/watch?v=r9Q_anb7pwg

Aska Nag

February 4, 2013 at 12:12 am

Hi!
I don't trust LastPass: my passwords are stored on the server, and it is clear that they are encrypted, but nonetheless. To store my passwords I use Sticky Password Pro. Very handy program, and there is a portable version.
Best regards!